When an attacker has managed to gain access on a system one of his first moves is to search the entire system in order to discover credentials for the local administrator account which it will allow him to fully compromise the box. This is of course the easiest method of escalating privileges in a Windows system and the purpose of this article is to examine some common places of where these credentials might exist in order to assist with this process.

Windows Files

It is very common for administrators to use Windows Deployment Services in order to create an image of a Windows operating system and deploy this image in various systems through the network. This is called unattended installation. The problem with unattended installations is that the local administrator password is stored in various locations either in plaintext or as Base-64 encoded. These locations are:

There is a Metasploit module which can discover credentials via unattended installations:

post/windows/gather/enum_unattend

If the system is running an IIS web server the web.config file should be checked as it might contain the administrator password in plaintext. The location of this file is usually in the following directories:

Local administrators passwords can also retrieved via the Group Policy Preferences. The Groups.xml file which contains the password is cached locally or it can be obtained from the domain controller as every domain user has read access to this file. The password is in an encrypted form but Microsoft has published the key and it can be decrypted.

VNC

Administrators some times tend to use VNC software instead of Windows Terminal Services for remote administration of the system. The password is encrypted but there are various tools that can decrypt it.

UltraVNC

[ultravnc]
passwd=5FAEBBD0EF0A2413

RealVNC

In RealVNC the hashed password is located in the following registry key:

reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

Putty

Putty clear text proxy credentials can be found in the following directory:

reg query" HKCU\Software\SimonTatham\PuTTY\Sessions"

Registry

Registry can be queried as in some occasions might contain credentials.

PowerSploit

PowerSploit can be used as a tool for the discovery of stored credentials. Specifically it supports the following modules which will check for credentials encrypted or plain-text in various files and in the registry: